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ABSTRACT 



This invention provides a method for accelerating muhiplication of an elliptic curve point 
5 Q(x,y) by a scalar k, the method comprising the steps of selecting an elliptic curve over a 
finite field Fq where q is a prime power such that there exists an endomorphism V(/, where 
v|/(Q) = k'Q for all points Q(x,y) on the elliptic curve; and using smaller representations 
ki of the scalar k in combination with the mapping V|/ to compute the scalar multiple of 
the elliptic curve point Q. 

10 
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A METHOD FOR ACCELERATING CRYPTOGRAPfflC OPERATIONS 

ON ELLIPTIC CURVES 
This invention relates to a method for accelerating certain cryptographic operations on a 
class of elliptic curves. 

5 

BACKGROUND OF THE INVENTION 

Public-key data communication systems are used to transfer information between a pair 
of correspondents. At least part of the information exchanged is enciphered by a predetermined 
mathematical operation by the sender and the recipient may perform a complementary 
10 mathematical operation to decipher the information. 

Various protocols exist for implementing such a scheme and some have been v^^idely 
used. In each case however the sender is required to perform a computation to sign the 
information to be transferred and the receiver is required to perform a computation to verify the 
signed information. 

15 In a typical implementation a signature component s has the form:- 

s = ae + k (mod n) 

where: 

P is a point on the curve which is a predefined parameter of the system; 
k is a random integer selected as a short term private or session key; 
20 R = kP is the corresponding short term public key; 

a is the long term private key of the sender; 
Q = aP is the senders corresponding public key; 

e is a secure hash, such as the SHA-1 hash function, of a message m and the short term 
public key R; and 
25 n is the order of the curve. 

The sender sends to the recipient a message including m, s, and R and the signature is 
verified by computing the value ^' = (sP-eQ) which should correspond to R. If the computed 
values correspond then the signature is verified. 

In order to perform the verification it is necessary to compute a number of point 
30 multiplications to obtain sP and eQ, each of which is computationally complex. Where the 
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recipient has adequate computing, power this does not present a particular problem but where 
the recipient has limited computing power, such as in a secure token or a "Smart card " 
application, the computations may introduce delays in the verification process. 

Elliptic curve cryptography (ECC) provides a solution to the computation issue. ECC 
5 permits reductions in key and certificate size that translate to smaller memory requirements, 
which represent significant cost savings. ECC can not only significantly reduce the cost, but 
also accelerate the deployment of smart cards in next-generation applications. Additionally, 
although the ECC algorithm allows for a reduction in key size, the same level of security as 
other algorithms with larger keys is maintained. 
10 However, there is still a need to perform faster calculations on the keys so as to speed 

up the information transfer while maintaining a low cost of production of data transfer circuits, 

It is therefore an object of the present invention to provide a method and ^paratus in 
which at least some of the above disadvantages are obviated or mitigated. 



1 5 SUMMARY OF THE INVENTION 

In general terms, the present invention provides an opportunity to reduce the complexity 
required to perform an integral part of the cryptographic process, thereby increasing the speed 
at which it may be performed and reducing the computing power required to perform it. 

The present invention is a method for speeding up certain cryptographic operations on 

20 elliptic curves. The method is based on the following observation that given an elliptic curve 
having complex multiplication over a finite field. Then there is an X, which is the solution to a 
quadratic, for which a complex multiplication mapping is equivalent to multiplying a point by 
X. It will often be less computationally expensive to compute via XQ the complex 
multiplication map, compared to treating X as a integer and performing the EC multiplication. 

25 In practice, point multiplication by other scalars (not just X) is required. The multiplication by X 
map may be used to compute other multiples. 

In accordance with this invention there is provided a method for accelerating 
multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps 
of: 
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selecting an elliptic curve over a finite field Fq where q is a prime power such that there exists 
an endomorphism \\f, where v|/(Q) = X'Q for all points Q(x,y) on the elliptic curve; and 
using smaller representations ki of the scalar k in combination with the mapping v|; to compute 
the scalar multiple of the elliptic curve point Q. 

5 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features of the preferred embodiments of the invention will become 
more ^parent in the following detailed description in which reference is made to the appended 
drawings wherein: 

10 Figure 1 is a schematic diagram of a communication system; 

Figure 2 is a flow chart showing a general method according to an embodiment of the 
present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

15 For convenience in the following description, like numerals refer to like structures in 

the drawings. Referring to Figure 1, a data communication system 10 includes a pair of 
correspondents, designated as a senderl2, and a recipient 14, who are connected by a 
communication channel 16. Each of the correspondents 12,14 includes a cryptographic 
processor 18,20 respectively that may process digital information and prepare it for 

20 transmission through the channel 16 as will be described below. Each of the correspondents 
12,14 also includes a computational unit 19,21 respectively to perform mathematical 
computations related to the cryptographic processors 18,20. The computational power of the 
units 19,21 will vary according to the nature of the correspondents 12,14 but for the purpose of 
the present disclosure, it will be assumed that the unit 19 has greater power than that of unit 2 1 , 

25 which may in fact be a Smart card or the like. Cryptographic computations such as the 
multiplication of an elliptic curve point by a scalar value are computationally expensive. 

One of the fimctions of the cryptographic processor 18 is to perform point 
muhiplications of the form k-Q so that it may be used in a cryptographic scheme. In 
accordance with this invention there is provided a method for accelerating scalar multiplication 

30 of an elliptic curve point Q(x,y) is shown generally by the numeral 50. The subject algorithm 
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increases the speed at which the processors 12 can for example sign and verify messages for 
specific classes of elliptic curves. The method based on the observation that given the general 
equation for an elliptic curve E: 

+ aixy + asy = + a2X^ + a4X + 36 (1) 
5 over a finite field Fq (q is a prime power) and when there exists an endomorphism \|/, where 
i|/(Q) = X*Q for all points Q(x,y) on the elliptic curve, then multiplication of the point Q by an 
integer k may be accelerated by utilizing combinations of smaller representations ki of k in 
combination with the mapping The mapping \|; also allows precomputation of group 
elements and combinations thereof, which may be used in subsequent calculation of kQ. 
10 Referring now to figure 2, a flow chart of a general embodiment for accelerating point 

multiplication on an elliptic curve, according to the present invention, is shown by numeral 50. 
The system parameters are first determined. This involves selecting an elliptic curve. In a first 
embodiment of the invention the generalized elliptic curve (1) may be expressed in the 
following form: 

15 E: y^ = x'' + b mod p; where p is a prime (2) 

Firstly, the modulus p can be determined such that there is a number, y where y e Fp (Fp 
is the field of size p consisting of all 'integers mod p'), and y^ ^ 1 mod p (a cube root of unity). 
If for example p = 7, then y = 2, since 2^ mod 7 =1 . Such a y does not necessarily exist for all 
p, and therefore it must be taken into consideration when choosing the value of p. Typically, 

20 the chosen p should be at least 160 bits in length for adequate cryptographic strength. 

Consider next the mapping function vi;: (x, y) -> (yx, y), which simply maps one set of 
points on the curve to another set of points on the curve. Then, there exists an integer X such 
that \]f(Q) = X'Q for all points Q(x,y) on the elliptic curve, E. This integer k may be found by 
noting that = 1 mod n, where n is the number of points on the elliptic curve E over Fp i.e. no. 

25 of points on E(Fp). There may exist more than one solution for X in A.^ = 1 mod n, but only one 
of those solutions will satisfy the mapping function X|/. It is important to note that since y"^ mod 
p = 1, both Q and v|/(Q) satisfy the equation for E. Therefore, instead of having to perform 
lengthy calculations to determine the results of multipHcation by X, it can be done very 
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efficiently using the results of the moping function. That is, multiplication by X can be done 
very efficiently. 

These system parameters E, p, Q, X, v|/(Q), and y may now be stored in the card 12 at 
manufacture time for use by the cryptographic processor 18. The number of ki*s being used 
5 may also be determined at this time. 

It is possible to select a value for k such that: 

k = (ko + kiX)modn (3) 
where n is the number of points on E(Fp). For cryptographic operations such as encryption and 
Diffie-Helhnan, the processor 12 randomly generates the value for k and then computes k-Q 
10 (where Q is a point on E). In these cases, it would be possible to select values for ko and ki at 
random, having a length of [log2 (n)]/2 not including sign bits, and then calculate the value for 
k using equation (3). (i.e. the length of the k, 's are chosen to be at least one half the length k). 
The point k'Q then becomes: 

k-Q = (koQ + ki A,Q) mod n (4) 
15 Now, the right side of equation (4) can be calculated quickly using an algorithm analogous to 
the "Simultaneous Multiple Exponentiation" as described in the "Handbook of Applied 
Cryptography" by Menezes et. al.(Algorithm 14.88). For convenience the algorithm is 
reproduced below. It may be noted that in an additive group exponentiation is analogous to 
addition, thus replacing the multiplication in the algorithm with addition, yields the following: 



20 



25 



Algorithm 1 Simultaneous Multiple Addition 



INPUT: group elements go, gi, . . , g/-i and non negative t-bit integers eo, ei, . . ey.i. 
OUTPUT: goeo + giCi + ... + g/.ie/.i. 



stepl . Precomputation, For i from 0 to (2' - 1): 
where i = (i/.i ... loh 

step2. A <- 0 

step3. For / from 1 to / do the following: 
30 step4. Return (A) where A = goCo + gi ei + . . . + g/.i cm 
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Applying this algorithm to equation (4) it can be seen that there are two group elements, 
Q and XQ, and therefore 1-2. The results of Precomputation with / = 2 is shown in table 1 . 



/ 


0 


1 


2 


3 


G,- 


0 


go 


gi 


go + gi 



Table 1. 

5 

In the present situation, ko through ki is analogous to eo through ei, and go through gi is 
analogous to Q and \(/(Q) respectively. It is straightforward to compute \\f(Q) = A,'Q = (yx, y). 
The next step is to construct the following point: Q + vi/(Q). Thusly, it is possible to fill in table 
1 with the computed elements to yield table 2. These elements may be pre-computed and stored 
10 in memory. 



/■ 


0 


1 


2 


3 


G, 


0 


Q 


^(Q) 


Q + V|/(Q) 



Table 2. 

15 



Next a notional matrix or combing table may be constructed using the binary 
representation of k,. If, for example, ko = 30 and ki = 10, then the notional matrix constructed 
from their binary representation is shown in Table 3. 





Ii 


h 


I3 


I4 


Is 


Ko 


1 


1 


1 


1 


0 


K, 


0 


1 


0 


1 


0 



Table 3 

20 

Before step3 of the algorithm can be perfonned, I| through It have to be found. Here / has the 
value five since the maximum number of bits in the binary representation of k© through k| is 
five. I, is determined by the number represented in the /* column where the first row contains 
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the least significant bit. Therefore it can be seen from table 3 that Ii = 1, 12 = 3, 13 = 1, 14 = 3, 
and I5 = 0. All the components needed to complete the algorithm 64 are available and the 
results of step three are shown in table 4. 

5 





A 


1 


Q 


2 


3Q + v(Q) 


3 


7Q + 2v,/(Q) 


4 


15Q + 5v|;(Q) 


5 


30Q+ 10v|/(Q) 



Table 4 



Thus it may be seen that this method will require a number of point doubles equal to 
max{log2(ki)}, and almost as many point additions. The number of point additions can be 
10 reduced using windowing (Alg. 14.85 HAC) and exponent recoding techniques. The point 

additions are easily performed by retrieving the appropriate precomputed element G, from table 
2. To summarize, for cryptographic operations like encryption and Diffie-Hellman, where one 
must pick an integer k and compute points k'Q. One can first choose ko and ki at random, each 
having a length one half the length of n. When the k's are chosen in this way, the method 
15 seems to be as secure as the normal methods. Of course it is possible to choose the ki's to have 
fewer bits set in order to trade off between efficiency and security. 

In a second embodiment of the invention a different form of the generalized elliptic 
curve equation (1) is used, as show below. 

y^ = (x"* - ax) mod p (5) 
20 Once again, p will be a prime number having at least 160 bits. For this type of curve, the 
properties required for y are different. It is now required to find a value such that 

= -1 mod p, A change in the property of y requires a different mapping fimction v|;* to be 
used. In this embodiment the mapping takes the form v|/*: (x, y) -> (-x, yy). If (x,y) is on the 
curve, then \|/'(x,y) is on the curve. It is possible to note that =1 mod n (n is still the number 
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of point on E(Fp)), and therefore X can be calculated. The mapping w\Q) = ^"Q ^ before and 
once again multiplication by X can be done very efficiently for this curve. The equation for k in 
this embodiment is the same as in the first embodiment and is represented by: 

k = (ko + k,X)modn (6) 
5 This equation is the same as in the second embodiment, having only two group elements. Thus 
using the group elements Q and Q+ v|;'(Q) in the algorithm 1, the point k'Q may be calculated. 
This computation will require a number of point doubles equal to max{log2(ki)}, and a similar 
number of point additions. Thus described earlier the number of point additions can be reduced 
using windowing and exponent recoding techniques. 

10 This method applies to other eHiptic curves, so long as there exists an efficiently 

computable endomorphism, \\f. For cryptographic protocols, where we do not get to choose k, 
we must first find ko, ki of the desired "short" form such that k = (ko + k|X) mod n. This could 
be done using the L"* algorithm, for example. 

As may be seen in the embodiments described above when a point is known 

15 beforehand, tables can be built to speed multiplication. However, there are cases when 

multiples of previously unknown points are required (for example, this can occur in ECDSA 
verification). That is a k is provided and it is necessary then to determine suitable 
representations for kj. 

Thus in a third embodiment according to the present invention, the point Q, the required 
20 multiple k, and the complex multiplication multiple X are known. It is necessary to determine 
the ki's since the value for k is predetermined. A method for doing this described as follows. 
As a pre-computation (not requiring k) we compute two relations: 

ao + boX, = 0 mod n 

ai +bi>,^Omodn 

25 such that ai and bi are numbers smaller than n. It is preferable that aj and bj are as small as 
possible, however, the present method has advantages even when aj and b, are not minimal. 
Typically the method produces ko and ki having representations one half the size of the original 
k. 

To produce small aj and bj, it is possible to make use of the LLL algorithm, but in this 
30 preferred embodiment the simple extended Euclidean algorithm is employed on the pair (n, X). 
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The extended Euclidean algorithm on (n, X) produces linear combinations Cin + dj^ = where 
the representation of n (e.g. bit-length) decreases and the representation of q and dj increases 
with i. 

The two smallest values of |(di, n )| resulting from using the extended Euclidean 
5 algorithm are saved. The size of these vectors are measured with the squared Euclidean norm 
|(d„ r,- )| = dj^ + Ti^. Denote the terms in these minimal relations d^, Tq and d, , f, . Such relations 

will typically occur in the middle of the algorithm. Even if the minimal relations are not 
retained, suboptimal relations may still give the method an advantage in the calculation of point 
multiples. 

10 It is possible to construct ai and bi by setting ao = - , bo = do and ai = - f, , 

bi = do . The next task is to find a small representation for the multiple k. 

The relations can be viewed as vectors Uo = (ao, bo) and U] = (ai, bi). These vectors 
satisfy aj +bi>- = 0 (mod n). Define multiplication of the group elements Q by the vector v = 
(vo, V|) as (vo + viX)Q. Since aj +bi^ = 0 (mod n), we have UoR = UiR = 0 for any group 
1 5 element R. Hence for any integers zo and zi we have vR = (v - zqUq - zi Ui)R for any group 
element R. 

Integers zq and Zj may be chosen such that the vector v' v - zqUo - ziUi has 
components that are as small as possible. 

Again, this method will have an advantage if v' is small, but not necessarily minimally 
20 so. The appropriate zo and zi are calculated by converting the basis of v into the basis {uq, Ui}. 
The conversion between basis involves matrix multiplication. To convert the vector v - (vo, vi) 
from the {uo, ui} basis to the standard orthonormal basis {(1,0),(0,1)}, 

To convert in the other direction, from the standard orthonormal basis {(1,0),(0,1)} to the (uo, 
25 Ui) basis, the multiplication is simply by the inverse of M, 



«0 ^ 



"0"\ "l^O 
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Since the vector v - (k, 0) has a zero component, the bottom row of inverse(M) is not 
required, and therefore to convert to the {uo, ui} basis only the fractions 



5 are needed. 

Calculate z = (zo, zi), where z is defined as (zo, Zi) = (round(kQ, round(kfi)). The 
fractions fo and f| may be precomputed to enough precision so that this operation may be 
effected only with multiplication. Note also that the computations leading to these fractions do 
not depend upon k, therefore they can be computed once when the elliptic curve is chosen as a 
10 system parameter, and do not need to be recalculated for each k. 

Other vectors near to z will also be useful, therefore could be replaced with floor or ceiling 
functions or some other approximation. 

Now that a suitable z has been determined, an efficient equivalent to v is calculated by 
V = (vo', vi') = v - zqUo -Zi ui. The phrase "efficient equivalent" implies a vector v' such that 
15 v'P = vP and v' has small coefficients. The value kQ is then calculated as vq'Q + vi'XQ. This 
value can be calculated using simultaneous point addition, and non-adjacent form recoding can 
also have advantages. 

Using these methods to determine the value of k'Q greatly reduces the processing 
power required by the cryptographic processors 12. It also increases the speed at which these 
20 repetitive calculations can be done which, in turn, reduces the time to transfer information. 

Although the invention has been described with reference to certain specific 
embodiments, various modifications thereof will be apparent to those skilled in the art without 
departing from the spirit and scope of the invention as outlined in the claims appended hereto. 




and 
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THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY 
OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS: 

1 . A method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, 
5 the method comprising the steps of: 

a) selecting an elliptic curve over a finite field Fq where q is a prime power such that there 
exists an endomorphism v|/, where \|/(Q) = for all points Q(x,y) on the elliptic curve; and 

b) using smaller representations ki of the scalar k in combination with the mapping i|/ to 
compute the scalar multiple of the elliptic curve point Q. 

10 
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Figure 1 



CA 02257008 1998-12-24 





Initialization 




E 

q 

v(Q) 

Y 

X 










Determine number of kj's 


^ 




Precompute and store 
combination of group 
elements Q+\|/(Q), etc. 






Construct combing table 






Con^}ute kQ using 
precomputed elements 



Figure 2 
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